
Field suggestion

Description

Even when introspection is disabled on your target, field suggestion still lets an attacker infer the entire schema with a tool such as Clairvoyance.

If you query a field with a typo, the GraphQL server suggests fields whose names are close to the one requested. Example:

  Error: Cannot query field "createSesion" on type "RootMutation". Did you mean "createSession", "createUser", "createFile", or "createImage"?
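
How much one hint gives away is easiest to see by running the loop Clairvoyance automates. The Go program below is an added example, not code from this page, from Escape or from Clairvoyance: it stands up a constructed endpoint with httptest (introspection off, six invented field names, and a cheap distance rule standing in for the real graphql-js one), seeds a single misspelling, parses every "Did you mean" hint, and re-probes a near-miss of each newly learned name so that fields the first hint never mentioned leak in turn. The names hiddenFields, roughDistance, fakeEndpoint, ParseSuggestions and InferFields are chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

var hiddenFields = []string{"createSession", "createUser", "createFile", "createImage", "deleteUser", "me"} // invented

// roughDistance counts positional mismatches plus the length gap: a cheap
// stand-in for the edit distance graphql-js ranks "Did you mean" hints by.
func roughDistance(a, b string) int {
	n := 0
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			n++
		}
	}
	if len(a) > len(b) {
		return n + len(a) - len(b)
	}
	return n + len(b) - len(a)
}

// fakeEndpoint has introspection off but suggestions on: known fields resolve, unknown ones get a
// hint naming every real field within half the longer name's length (in the spirit of graphql-js).
func fakeEndpoint() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Query string }
		_ = json.NewDecoder(r.Body).Decode(&req)
		name := strings.Fields(req.Query)[2] // probes always look like "mutation { <name> }"
		var near []string
		for _, f := range hiddenFields {
			if f == name {
				fmt.Fprintf(w, `{"data":{"%s":null}}`, name)
				return
			}
			if d := roughDistance(strings.ToLower(name), strings.ToLower(f)); 2*d <= len(name) || 2*d <= len(f) {
				near = append(near, `"`+f+`"`)
			}
		}
		msg := fmt.Sprintf(`Cannot query field "%s" on type "RootMutation".`, name)
		if len(near) > 0 {
			msg += " Did you mean " + strings.Join(near, ", ") + "?"
		}
		fmt.Fprintf(w, `{"errors":[{"message":%q}],"data":null}`, msg) // %q escapes the inner quotes as JSON does
	})
}

// ParseSuggestions extracts the field names a "Did you mean" message leaks.
func ParseSuggestions(message string) []string {
	i := strings.Index(message, "Did you mean ")
	if i < 0 {
		return nil
	}
	parts := strings.Split(message[i:], `"`)
	names := make([]string, 0, len(parts)/2)
	for j := 1; j < len(parts); j += 2 { // odd pieces sit between the quotes
		names = append(names, parts[j])
	}
	return names
}

// InferFields is the Clairvoyance idea in miniature: every hinted name is a real field,
// and a deliberate typo of each newly learned name makes the server leak its neighbours.
func InferFields(url string, wordlist []string) []string {
	found, names := map[string]bool{}, []string{}
	for queue := append([]string(nil), wordlist...); len(queue) > 0; queue = queue[1:] {
		body, _ := json.Marshal(map[string]string{"query": "mutation { " + queue[0] + " }"})
		resp, err := http.Post(url, "application/json", strings.NewReader(string(body)))
		if err != nil {
			break
		}
		var out struct{ Errors []struct{ Message string } }
		_ = json.NewDecoder(resp.Body).Decode(&out)
		resp.Body.Close()
		for _, e := range out.Errors {
			for _, h := range ParseSuggestions(e.Message) {
				if !found[h] && len(h) > 1 {
					found[h] = true
					names = append(names, h)
					queue = append(queue, h[:len(h)-1]) // near-miss of the new name, probed next
				}
			}
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	srv := httptest.NewServer(fakeEndpoint())
	defer srv.Close()
	fmt.Println(InferFields(srv.URL, []string{"createSesion"})) // seed: one plausible typo
}
```

The single seed `createSesion` recovers five of the six hidden fields: the first hint names the four `create*` mutations, and the near-miss `createUse` is close enough to `deleteUser` for the server to volunteer it. `me` stays hidden because no probe ever comes within the threshold, which is why Clairvoyance still needs a wordlist of likely names. The fake understands nothing but the `mutation { name }` probe shape; point InferFields at a real endpoint only with authorization.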

Remediation

Disable Field Suggestion in production.

GraphQL Specific

Apollo

Install our open source package GraphQL Armor for Apollo.

Graphqlgo

graphql-go/graphql currently offers no option to disable field suggestion.

You can, however, filter suggestions out by discarding any response whose body contains "Did you mean", using a middleware like this one:

import (
	"bytes"
	"errors"
	"net/http"
)

// FilterResponseWriter wraps the real ResponseWriter and refuses to forward any
// body that contains one of the blacklisted substrings.
type FilterResponseWriter struct {
	writer    http.ResponseWriter
	blacklist []string
	errorPtr  *bool // set once a write has been refused, so the middleware can send a replacement body
}

func (w FilterResponseWriter) Header() http.Header {
	return w.writer.Header()
}

// Write checks each chunk on its own, which is enough for graphql-go/handler
// because it marshals the whole result and writes it in a single call.
func (w FilterResponseWriter) Write(data []byte) (int, error) {
	if *w.errorPtr {
		return 0, errors.New("write error")
	}
	for _, s := range w.blacklist {
		if bytes.Contains(data, []byte(s)) {
			*w.errorPtr = true
			return 0, errors.New("field not found")
		}
	}
	return w.writer.Write(data)
}

func (w FilterResponseWriter) WriteHeader(statusCode int) {
	w.writer.WriteHeader(statusCode)
}

// blockFieldSuggestion replaces any response that carries a "Did you mean" hint
// with a generic error. The pattern keeps the backslash on purpose: the JSON
// encoder writes the quote that follows "Did you mean" as \" in the body.
func blockFieldSuggestion(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var blocked bool
		newWriter := &FilterResponseWriter{writer: w, blacklist: []string{"Did you mean \\\""}, errorPtr: &blocked}
		next.ServeHTTP(newWriter, r)
		if blocked {
			// The inner handler has already sent its status code; only the body is replaced.
			w.Write([]byte("{\"errors\":[{\"message\":\"Field not found.\"}],\"data\":null}"))
		}
	})
}

Then apply the middleware to your endpoint:

func main() {
	...
	// handler is github.com/graphql-go/handler; schema is the graphql.Schema built above
	h := handler.New(&handler.Config{
		Schema: &schema,
	})
	http.Handle("/graphql", blockFieldSuggestion(h))
}

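
A less destructive option for graphql-go, added here as an example and not code from this page or from the graphql-go project: buffer the handler's output and strip only the hint from each error message, so the client still learns that the field does not exist but not what its neighbours are called. Everything below is standard library; MaskSuggestions, bufferedWriter and maskFieldSuggestion are names chosen for this example, and the inner handler in main is a stand-in that replays the page's error verbatim.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// suggestionRE matches the hint graphql-go appends to an unknown-field error.
var suggestionRE = regexp.MustCompile(` Did you mean [^?]*\?`)

// MaskSuggestions rewrites a GraphQL response body so each error keeps its
// useful part ("Cannot query field ...") but loses the schema-leaking hint.
// Anything that is not a JSON object with an "errors" key passes through unchanged.
func MaskSuggestions(body []byte) []byte {
	var resp map[string]json.RawMessage
	if err := json.Unmarshal(body, &resp); err != nil || resp["errors"] == nil {
		return body
	}
	var errs []map[string]interface{}
	if err := json.Unmarshal(resp["errors"], &errs); err != nil {
		return body
	}
	for _, e := range errs {
		if msg, ok := e["message"].(string); ok {
			e["message"] = suggestionRE.ReplaceAllString(msg, "")
		}
	}
	resp["errors"], _ = json.Marshal(errs)
	out, _ := json.Marshal(resp)
	return out
}

// bufferedWriter captures the wrapped handler's status and body so both can be
// replayed after the body has been rewritten.
type bufferedWriter struct {
	http.ResponseWriter
	status int
	body   bytes.Buffer
}

func (b *bufferedWriter) WriteHeader(code int)        { b.status = code }
func (b *bufferedWriter) Write(p []byte) (int, error) { return b.body.Write(p) }

// maskFieldSuggestion wraps any GraphQL handler, graphql-go/handler included,
// and masks hints in every response it produces.
func maskFieldSuggestion(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bw := &bufferedWriter{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(bw, r)
		out := MaskSuggestions(bw.body.Bytes())
		w.Header().Del("Content-Length") // the length may have changed; let net/http recompute it
		w.WriteHeader(bw.status)
		w.Write(out)
	})
}

func main() {
	// Stand-in for the graphql-go handler: replays the page's example error verbatim.
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"errors":[{"message":"Cannot query field \"createSesion\" on type \"RootMutation\". Did you mean \"createSession\", \"createUser\", \"createFile\", or \"createImage\"?"}],"data":null}`)
	})
	rec := httptest.NewRecorder()
	maskFieldSuggestion(inner).ServeHTTP(rec, httptest.NewRequest("POST", "/graphql", nil))
	fmt.Println(rec.Body.String())
}
```

Wire it with `http.Handle("/graphql", maskFieldSuggestion(h))`. Buffering also covers handlers that emit the body in several Write calls, which a per-chunk substring check would miss, and because the whole response is parsed rather than pattern-matched, other errors and any partial data in the same response survive untouched.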
Graphqlyoga

Install our open source package GraphQL Armor for Yoga.

Or, you can use the standalone envelop plugin.

Configuration

Identifier: information_disclosure/graphql_field_suggestion

Examples

Ignore this check

{
  "checks": {
    "information_disclosure/graphql_field_suggestion": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: MEDIUM
    • OWASP: API7:2023
    • PCI DSS: 6.5.5
    • CWE
      • 200
      • 489
      • 668
      • 1295
    • WASC: WASC-15

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References